judgecorp writes "Google's privacy mechanism, which combines personal data from around 60 products, and gives users only one opportunity to opt out, was rolled out in March against requests from privacy regulators in Europe. Now they want the policy reversed, and user data from the different Google products, including Gmail, Search and YouTube, to be separated. The EU attack is led by French regulator CNIL, which has historically taken a tough line on privacy matters."

Really, I don't see this as an issue if you're volunteering your personal info to Google anyway. I'm more worried by the tracking that Google does even if you're not logged in, say, via its ad and recaptcha services.

Really though, unlike with Intel or Microsoft, I've never felt like I have been wronged by Google, which is probably why my knee-jerk reaction is that this is just another extortion racket and an organization hired to cause a stir.

My issue is that google is forcing me to broadcast my private stuff to strangers. Google's issue is that people leave embarrassingly shitty comments on videos.

The obvious solution is just to turn off all personalization and feedback. However, Google -- stupidly -- is trying to build their own social network to rival Facebook. Their strategy is stupid, because for years they've triumphed by being better and less evil than the other guy. My approach was just to boycott other google products in favor of youtube. Unfortunately, there is no alternative to it. However, I use it rarely. In exchange for my rare preference for funny vids, Google lost some important social contacts and private emails that have gone to Facebook. Real smart move on their part, huh? Well, maybe it was -- until a youtube killer comes out, Google is number one there. However, their business model has changed for the worse. It's only a matter of time until someone less evil than Google arises, and then Google is toast.

What does opting out of a privacy policy mean? "I refuse to be bound by this policy, so there is no policy and you can do whatever you want with my data"? "I refuse to be bound by this one policy, I prefer a different policy on every google service I use"? And do you expect google (or anyone) to maintain code to implement every privacy policy they've ever had? How would that work?

Opting out of a privacy policy means not using the service. Wanting to use the service but refusing the privacy policy is much like wanting to eat at a restaurant but not wanting to pay your bill.

All the EU is doing is basically telling Google to put the data back in their individual silos and stop mixing and churning it.

And what defines "separate"? Facebook has a single privacy policy for your profile, photos, videos, blog posts, etc.

All the EU is really doing is politically motivated posturing: they don't like Google because the big European corporations their member governments are in bed with haven't figured out how to compete with Google.

That's one benefit Google got from combining the privacy policies - obviously the one which makes Google look worst so it's the reason most commonly trotted out. The flip side is by having each service have its own privacy policy, users had to keep track of each separate privacy policy (and Google's employees working on multiple products were uncertain of what they could and couldn't do with the data). Subtle differences between policies got lost amidst the similarities. Consolidating everything into a single unified "Google policy" made it easier for users to know what they were getting and for Google to know what it could do.

There are pros and cons to either approach. Anyone telling you one is universally better than the other is selling you something. Stripped of any nefarious advertising and creepy privacy invasion overtones, the default condition would be for Google to consolidate them into one policy simply to reduce bureaucracy and paperwork. So I think the onus should be on those advocating separate policies to justify why the benefits of having them separate outweigh the drawbacks.

Actually, there are no European companies trying to compete with Google and failing. There are no European companies even trying. (I think, the last one was Telefónica, which bought Lycos years ago, but put it to rest in 2008). So which are those imaginary corporations you are talking about?

I'm not sure how google is forcing you to broadcast private stuff; I don't think they're forcing you to comment, are they? If you comment, and you know that the comment will be tagged with your real name, then there is no force, you just make a choice.

Easy. They are forcing you to choose between all your comments being around forever, or keeping quiet forever.

See, if one day you make a comment in real life to a friend, they probably won't remember next year what you said, and even so, nobody else is likely to even know what you said that day.

But Google spies on you all the time, and if you make a comment to a friend within range of a Google service, they will remember what you said in 10 years, and they will tell what you said to everybody who wants to snoop on you, for the rest of your life.

So your choice is: comment while being very careful what you say, or keep quiet. Better not use the internet while drunk, either.

Why does this need a session cookie? Why does it need to update the list so incredibly frequently? Why send only partial keys?

Dude, take off the foil hat. I work at the big G (not on anti phishing) and all these concerns have been discussed publicly before. There is a cookie for anti-DoS purposes. Google has the ability to sink large amounts of HTTP traffic using smart load balancers which can handle way more requests than the backends they balance on to. During a DoS attack legitimate cookies that have been observed behaving in a non-abusive manner for a long time can be serviced whilst excluding requests that come in with no cookie or a freshly minted cookie. And let's face it - the anti-phishing system is designed to frustrate criminals, the kind of people who wouldn't hesitate to use DDoS attacks against a blacklisting service.

The list is updated frequently because phishing sites appear and disappear very fast.

If there was no partial server-side matching you could defeat the blocklist by simply using random filenames or ?q=abc suffixes on the phishing page (e.g. every spam you send with a phishing link could have a unique URL). Then a list of even a million URLs would be insufficient. By having partial/prefix matches that trigger a server side lookup more advanced logic can be used that doesn't require protocol changes to every client, in extreme cases you could even imagine hand crafted code that understands how to spot patterns in particularly tricky campaigns.
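
An added illustration of the prefix matching described in the comment above; it is not part of the original thread and is not Google's code. A client holds truncated hashes of blocked host/path expressions and contacts the server only on a local hit. The 4-byte SHA-256 prefix, the simplified expression generation, and all names and URLs are assumptions constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: bytes of each SHA-256 digest kept on the client

def digest(expr):
    return hashlib.sha256(expr.encode()).digest()

def expressions(url):
    """Simplified host-suffix/path-prefix combinations for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    # Exact host, then shorter suffixes down to the last two labels.
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    path = parts.path or "/"
    segs = path.split("/")[1:]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    paths.append(path)
    if parts.query:
        paths.append(path + "?" + parts.query)
    return [h + p for h in hosts for p in dict.fromkeys(paths)]

class Server:
    """Hypothetical blocklist service holding the full digests."""
    def __init__(self, blocked_expressions):
        self.full = {digest(e) for e in blocked_expressions}
    def prefixes(self):
        return {d[:PREFIX_LEN] for d in self.full}  # what clients download
    def lookup(self, prefix):
        return {d for d in self.full if d.startswith(prefix)}

def check(url, local_prefixes, server):
    """Return (verdict, server_lookups); the server sees only prefixes."""
    lookups = 0
    for expr in expressions(url):
        d = digest(expr)
        if d[:PREFIX_LEN] in local_prefixes:
            lookups += 1
            if d in server.lookup(d[:PREFIX_LEN]):
                return "blocked", lookups
    return "ok", lookups

if __name__ == "__main__":
    srv = Server(["phish.example.test/login/"])  # constructed entry
    local = srv.prefixes()
    for u in ("http://phish.example.test/login/a81c.html?q=abc",
              "http://phish.example.test/login/zz9.html",
              "http://benign.example.test/"):
        print(u, check(u, local, srv))
```

One blocked path-prefix entry covers every unique filename or query suffix beneath it, and the benign URL is resolved locally without any server lookup.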